No, I didn't skip the middle step.
I have turned around this problem for days, googleized a lot, I didn't find a clue.
Why is semodule looking in a nonexistent directory?
I suspect a configuration problem, but where?????
Message of 06/10/06 04:28
From: "Joshua Brindle" method@gentoo.org
To: "Pierre JUHEN" pierre.juhen@wanadoo.fr
Cc: fedora-selinux-list@redhat.com
Subject: Re: Trouble with module
Pierre JUHEN wrote:
To correct error messages appearing in the audit.log, I ran the procedure described in the audit2allow manual page.
Here is the .te file:

module local 1.0;

require {
	class dir search;
	class fd use;
	class fifo_file write;
	class file { read write };
	class netlink_route_socket create;
	class unix_stream_socket { read write };
	type apmd_log_t;
	type cupsd_config_t;
	type cupsd_t;
	type dovecot_auth_t;
	type dovecot_t;
	type etc_mail_t;
	type etc_runtime_t;
	type hald_t;
	type home_root_t;
	type hostname_t;
	type restorecon_t;
	type semanage_t;
	type unconfined_t;
	type user_home_dir_t;
	type usr_t;
	type xdm_t;
	role system_r;
};

allow cupsd_config_t apmd_log_t:file { read write };
allow cupsd_t apmd_log_t:file { read write };
allow dovecot_auth_t self:netlink_route_socket create;
allow dovecot_t etc_runtime_t:file read;
allow dovecot_t unconfined_t:fifo_file write;
allow dovecot_t xdm_t:fd use;
allow hald_t home_root_t:dir search;
allow hostname_t etc_mail_t:file read;
allow hostname_t unconfined_t:fifo_file write;
allow hostname_t usr_t:file read;
allow hostname_t xdm_t:fd use;
allow restorecon_t xdm_t:fd use;
allow semanage_t unconfined_t:unix_stream_socket { read write };
allow semanage_t user_home_dir_t:dir search;

When I try to load the module using "semodule -i local.pp"
I get:

libsepol.module_package_read_offsets: wrong magic number for module package: expected 4185718671, got 4185718669
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/toto.mod.
did you build a policy package correctly using the following commands:
checkmodule -M -m local.te -o local.mod
semodule_package -m local.mod -o local.pp
semodule -i local.pp
it looks like you probably skipped the middle step..
Pierre JUHEN wrote:
No, I didn't skip the middle step.
I have turned around this problem for days, googleized a lot, I didn't find a clue.
Why is semodule looking in a nonexistent directory?
the directory is there when the operation fails. semodule copies everything from modules/active to modules/tmp to operate on it and when it reads that file (toto.mod) it fails because it is a policy module and not a policy package.
try semodule -r toto
though I don't know how that file got there in the first place, semodule should have never accepted it
I suspect a configuration problem, but where?????
I did semodule -r toto:

libsepol.module_package_read_offsets: wrong magic number for module package: expected 4185718671, got 4185718669
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/toto.mod.
semodule: Failed!

semodule -r local

libsemanage.semanage_direct_remove: Module local was not found.
semodule: Failed on local!

[root@pierre ~]# ls -lZ /etc/selinux/targeted/modules/active/modules
-rw-r--r-- root root root:object_r:semanage_store_t toto.mod
-rw-r--r-- root root root:object_r:semanage_store_t toto.pp
-rw-r--r-- root root system_u:object_r:semanage_store_t toto.te
I don't understand.
Thank you for your help.
On Fri, 2006-10-06 at 20:55 +0200, Pierre JUHEN wrote:
I did semodule -r toto:

libsepol.module_package_read_offsets: wrong magic number for module package: expected 4185718671, got 4185718669
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/toto.mod.
semodule: Failed!

semodule -r local

libsemanage.semanage_direct_remove: Module local was not found.
semodule: Failed on local!

[root@pierre ~]# ls -lZ /etc/selinux/targeted/modules/active/modules
-rw-r--r-- root root root:object_r:semanage_store_t toto.mod
-rw-r--r-- root root root:object_r:semanage_store_t toto.pp
-rw-r--r-- root root system_u:object_r:semanage_store_t toto.te
I don't understand.
Thank you for your help.
you need to delete toto.te and toto.mod from that directory. Those should have never been there, the module directory is a private directory that only libsemanage should be writing to.
selinux@lists.fedoraproject.org
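
The two numbers in the error message quoted in this thread are file-format magic values: semodule expected 4185718671 (a policy package) and found 4185718669 in toto.mod, which the reply identifies as a policy module. The shell sketch below is an added illustration, not part of the thread or of the SELinux tools; it classifies files by that leading value and lists everything in a directory that is not a policy package. It assumes uncompressed files whose first four bytes hold the magic as a little-endian 32-bit integer, and the function names are hypothetical.

```shell
#!/bin/sh
# Magic values taken from the error message quoted in the thread.
PKG_MAGIC=4185718671   # 0xf97cff8f: policy package (.pp), what semodule expects
MOD_MAGIC=4185718669   # 0xf97cff8d: policy module (.mod), what toto.mod contained

# Print the first four bytes of a file as an unsigned little-endian integer.
# Fails for unreadable files and for files shorter than four bytes.
read_magic() {
    set -- $(od -An -tu1 -N4 2>/dev/null <"$1")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Classify one file as package, module, other, or unreadable.
classify() {
    magic=$(read_magic "$1") || { echo unreadable; return 0; }
    case "$magic" in
        "$PKG_MAGIC") echo package ;;
        "$MOD_MAGIC") echo module ;;
        *)            echo other ;;
    esac
}

# List every regular file in a directory that is not a policy package,
# one "kind<TAB>path" line per file. Read-only: nothing is deleted.
audit_store() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        kind=$(classify "$f")
        [ "$kind" = package ] || printf '%s\t%s\n' "$kind" "$f"
    done
}

# Stand-alone use: pass the directory to inspect as the first argument.
[ $# -eq 0 ] || audit_store "$1"
```

Run against a directory like the one in the `ls -lZ` listing, this would report toto.mod as `module` and toto.te as `other`, the two files the final reply says to delete.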